me/guix
Archived
1
0
Fork 0
Code Activity

gnu: nss: Fix CVE-2019-11745 via graft.

Browse source 
* gnu/packages/patches/nss-CVE-2019-11745.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/nss.scm (nss/fixed): New variable.
(nss)[replacement]: Add field.
This commit is contained in:
Mark H Weaver 2019-12-10 18:20:51 -05:00
parent bc587eb178
commit 04b33ce205
No known key found for this signature in database
GPG key ID: 7CEF29847562C516
3 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
gnu/local.mk
View file

@ -1180,6 +1180,7 @@ dist_patch_DATA = \
%D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ngircd-handle-zombies.patch \
%D%/packages/patches/nm-plugin-path.patch \ %D%/packages/patches/nm-plugin-path.patch \
%D%/packages/patches/nsis-env-passthru.patch \ %D%/packages/patches/nsis-env-passthru.patch \
%D%/packages/patches/nss-CVE-2019-11745.patch \
%D%/packages/patches/nss-freebl-stubs.patch \ %D%/packages/patches/nss-freebl-stubs.patch \
%D%/packages/patches/nss-increase-test-timeout.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \
%D%/packages/patches/nss-pkgconfig.patch \ %D%/packages/patches/nss-pkgconfig.patch \

9
gnu/packages/nss.scm
View file

@ -71,6 +71,7 @@ in the Mozilla clients.")
(package (package
(name "nss") (name "nss")
(version "3.46.1") (version "3.46.1")
(replacement nss/fixed)
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (let ((version-with-underscores (uri (let ((version-with-underscores
@ -183,3 +184,11 @@ applications. Applications built with NSS can support SSL v2 and v3, TLS,
PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
security standards.") security standards.")
(license license:mpl2.0))) (license license:mpl2.0)))
(define nss/fixed
(package
(inherit nss)
(source (origin
(inherit (package-source nss))
(patches (append (search-patches "nss-CVE-2019-11745.patch")
(origin-patches (package-source nss))))))))

24
gnu/packages/patches/nss-CVE-2019-11745.patch Normal file
View file

@ -0,0 +1,24 @@
Fix CVE-2019-11745 (Out-of-bounds write when passing an output buffer smaller
than the block size to NSC_EncryptUpdate).
Copied from Debian, equivalent to upstream fix:
<https://hg.mozilla.org/projects/nss/rev/1e22a0c93afe9f46545560c86caedef9dab6cfda>.
# HG changeset patch
# User Craig Disselkoen <cdisselk@cs.ucsd.edu>
# Date 1574189697 25200
# Node ID 60bca7c6dc6dc44579b9b3e0fb62ca3b82d92eec
# Parent 64e55c9f658e2a75f0835d00a8a1cdc2f25c74d6
Bug 1586176 - EncryptUpdate should use maxout not block size. r=franziskus
--- a/nss/lib/softoken/pkcs11c.c
+++ b/nss/lib/softoken/pkcs11c.c
@@ -1285,7 +1285,7 @@ NSC_EncryptUpdate(CK_SESSION_HANDLE hSes
}
/* encrypt the current padded data */
rv = (*context->update)(context->cipherInfo, pEncryptedPart,
- &padoutlen, context->blockSize, context->padBuf,
+ &padoutlen, maxout, context->padBuf,
context->blockSize);
if (rv != SECSuccess) {
return sftk_MapCryptError(PORT_GetError());